Tuesday, October 25, 2011

McAfee Says Duqu No Threat To Utilities

Security vendor McAfee has told utilities that the Duqu malware posed no threat, responding to a concern raised by its similarities to the Stuxnet worm that attacked industrial control systems in Iran’s nuclear facility last year.

In a conference call Monday, David Hatchell, utilities account manager for McAfee, said there was “nothing to worry about at this point.”

“It (Duqu) is not targeting industrial control systems that we know of, and it’s not targeting any energy (companies) as far as we know,” Hatchell said.

[...]

“We can clearly see that this is used for espionage,” Peter Szor, senior director of research at McAfee Labs, said during the conference call. Very different industries have been targeted, including a hotel chain. While there was no confirmation from Iran, military industries in the country also could have been targeted. “Basically the goal of the malware is speculation at this point,” he said.

[...]

Szor said the company believes the drivers for Duqu were compiled in November 2010. The keylogger portion of Duqu, which records keyboard strokes, was compiled three months earlier. Szor believes earlier variants of Duqu may have been used to steal data in preparation for the Stuxnet attack. “That’s why I think personally that Duqu was a bit earlier than Stuxnet,” he said.

Variations of Duqu have been confirmed in England, Iran and the U.S., with reports of the Trojan in Austria, Hungary and Indonesia, McAfee said. Similarities to Stuxnet include the same malware-hiding rootkit, use of a stolen certificate authority from Taiwan to enable installation, and a set timeframe for operation. Duqu was timed to delete itself after 36 days, and the certificate was stolen from C-Media Electronics, according to McAfee.